
Page 1

January 16, 2008

Source: 3GPP2 TSG-S WG4 (Security)

Contacts: Anand Palanigounder, Chair, TSG-S WG4 ( apg@qualcomm.com )

Zhibi Wang, Vice Chair, TSG-S WG4 ( zhibiwang@alcatel-lucent.com )

ABSTRACT: Identifies the IMS Security framework differences between 3GPP and 3GPP2

Notice: Contributors grant a free, irrevocable license to 3GPP2 and its Organization Partners to incorporate text or other copyrightable material contained in the contribution and any modifications thereof in the creation of 3GPP2 publications; to copyright and sell in Organizational Partner’s name any Organizational Partner’s standards publication even though it may include portions of the contribution; and at the Organization Partner’s sole discretion to permit others to reproduce in whole or in part such contributions or the resulting Organizational Partner’s standards publication. Contributors are also willing to grant licenses under such contributor copyrights to third parties on reasonable, non-discriminatory terms and conditions for purpose of practicing an Organizational Partner’s standard which incorporates this contribution.

This document has been prepared by the contributors to assist the development of specifications by 3GPP2. It is proposed to the Committee as a basis for discussion and is not to be construed as a binding proposal on the contributors. Contributors specifically reserve the right to amend or modify the material contained herein and nothing herein shall be construed as conferring or offering licenses or rights with respect to any intellectual property of the contributors other than provided in the copyright statement above.

Differences between 3GPP2 and 3GPP IMS Security Framework – An Analysis

3GPP2 TSG-S WG4 (Security)

Page 2

3GPP2 IMS Security Framework (from 3GPP2 S.S0086-B)

[Figure: 3GPP2 IMS security framework. Elements shown: UE (containing Secure Mem and UA), P-CSCF, I-CSCF, S-CSCF, HSS, AN, Transport, Home Network, Home/Serving Network, IMS, Multimedia IP-Networks, Packet Data Subsystem, cdma2000 Radio Access. Reference points 1, 2, 3, 4/5, 6 and 7 are marked on the links; their definitions are given on slide 3.]

Page 3

3GPP2 IMS Security Framework - Reference Point Definitions/Differences Overview

IMS Security Framework specified in 3GPP2 S.S0086-B

IMS Access Security (Ref point 1)

– ISIM is replaced with Secure Memory
– Differences in terms of security mechanisms allowed
– Details are in slide #4

Network Domain Security (NDS)

– Ref 2, 3, 4/5 definitions are the same as in 3GPP, but the NDS requirements are somewhat different
– Ref 6/7 not available in 3GPP
– Ref 6 is between HSS and SIP AS in external networks
– Ref 7 is between CSCF and SIP AS in external networks
– Details are in slide #7

Page 4

IMS Access Security Differences

Security mechanisms negotiated using RFC 3329 in 3GPP2 IMS are:

– tls, digest, ipsec-ike, ipsec-man, and ipsec-3gpp
– ipsec-3gpp is specified, but the other mechanisms currently refer to SIP RFC 3261
– However, support of “ipsec-3gpp” using IMS AKA is mandatory
– Only transport mode is currently specified

3GPP IMS supports only “ipsec-3gpp” using IMS AKA

– Supports transport mode, and tunnel mode with UDP encapsulation for NAT traversal
– 3GPP2 IMS can reuse tunnel mode with UDP encapsulation for NAT traversal as specified in 3GPP

3GPP Rel-8 Common IMS added support for: tls, digest (for CableLabs/TISPAN)

– 3GPP2 can reuse tls and digest as profiled in 3GPP Rel-8 IMS

Page 5

Use of Secure Memory within UE

In 3GPP IMS, use of a smart card is mandatory

– Either ISIM or USIM required
– Specified AKA algorithms are only examples

In 3GPP2 IMS, Secure Memory within the UE is used for IMS (i.e., a smartcard is not mandatory for IMS access)

The secure memory includes (among other non-security functionalities):

– The IMPI;
– At least one IMPU;
– Home Network Domain Name;
– Support for sequence number checking in the context of the IMS Domain;
– The cdma2000 AKA algorithms (i.e., mandatory to support the cdma2000 AKA algorithms);
– An authentication Key.

Secure Memory can be realized either using a UIM (built into the UE), an R-UIM, or an ISIM.
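The list above names what the 3GPP2 Secure Memory must hold and, among those items, one behaviour: sequence-number checking for the IMS domain. As an added illustration (not code from the contribution, S.S0086-B, or any 3GPP2 UIM implementation), the following models those mandatory fields and an SQN freshness check. The window rule is a simplified form of the 3GPP AKA scheme (accept only SQNs above the last accepted one, and not further ahead than a fixed delta, otherwise request a resynchronisation); it is not the cdma2000 AKA algorithm, the delta value is assumed, and the identities and key are constructed.

```python
"""Model of the mandatory IMS contents of 3GPP2 Secure Memory (IMPI, IMPU(s),
home network domain name, authentication key) plus a simplified SQN freshness
check. Added illustration; the SQN window is a simplification and all values
are constructed."""
from dataclasses import dataclass, field
from typing import Tuple


@dataclass
class SecureMemory:
    impi: str                  # IMS Private Identity
    impus: Tuple[str, ...]     # at least one IMS Public Identity
    home_domain: str           # Home Network Domain Name
    key: bytes                 # long-term authentication key; never exported
    sqn_ms: int = 0            # highest SQN accepted so far
    delta: int = 1 << 28       # assumed maximum jump before a resync is required

    def __post_init__(self) -> None:
        if not self.impus:
            raise ValueError("at least one IMPU is required")
        if not self.key:
            raise ValueError("authentication key must be present")

    def check_sqn(self, sqn: int) -> str:
        """Classify a sequence number taken from a network challenge.

        'accept'  - fresh; SQN state advances
        'replay'  - already used (or older), so the challenge is rejected
        'resync'  - too far ahead; the UE should run SQN resynchronisation
        """
        if sqn <= self.sqn_ms:
            return "replay"
        if sqn - self.sqn_ms > self.delta:
            return "resync"
        self.sqn_ms = sqn
        return "accept"


def make_constructed_secure_memory() -> SecureMemory:
    """Constructed sample record; the key is a placeholder, not a real secret."""
    return SecureMemory(
        impi="user@home.example",
        impus=("sip:user@home.example", "tel:+15550100"),
        home_domain="home.example",
        key=bytes(16),
    )


if __name__ == "__main__":
    sm = make_constructed_secure_memory()
    for sqn in (1, 1, 5, 5 + (1 << 28) + 1):
        print(sqn, "->", sm.check_sqn(sqn))
```

A replayed challenge carrying an SQN the UE has already accepted is refused, and a challenge whose SQN has jumped past the window triggers resynchronisation instead of silently moving the stored SQN; both outcomes leave the stored state unchanged.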

Page 6

Network Domain Security Architecture

[Figure: Network Domain Security architecture. Security domain A (NE A-1, NE A-2, SEG A) and Security domain B (NE B-1, NE B-2, SEG B). Zb interfaces run between network elements and their SEG inside each domain; the Za interface runs between SEG A and SEG B. Legend: IKE "connection"; 3GPP/3GPP2 Security Association; 3GPP2 Security Association.]

Page 7

Network Domain Security

3GPP NDS requires use of Security Gateway (SEG) for Za with IPSec in tunnel mode

– Use of SEG for Zb optional
– Zb also supports IPSec in transport mode
– Required to support 3DES and AES for encryption and HMAC-MD5 and HMAC-SHA1 for integrity

3GPP NDS is not just applicable to IMS, but is generally used to secure any IP traffic in 3GPP networks

3GPP2 NDS only applicable to IMS

– Supports mesh connection between two networks or network elements
– Support of IPSec in tunnel mode mandatory, but use is optional
– Use of SEG is optional
– Can also be used in transport mode (for both Za and Zb)
– Also allows the use of TLS
– Cipher suite requirements not as stringent as 3GPP NDS – only minimum security requirements are defined

Page 8

Conclusion

IMS Security architectures between 3GPP and 3GPP2 are similar in many respects

However, there are some subtle differences to meet cdma2000 market requirements

These differences need to be documented in 3GPP TSs

Two Change Requests (CRs) are proposed for 3GPP consideration as part of common IMS

One CR to 3GPP TS 33.203 incorporating IMS Access Security related specification text from 3GPP2 S.S0086-B

– 3GPP2 can re-use TLS, Digest, and IPSec tunnel mode with UDP Encapsulation as specified by 3GPP (as included in this CR)

Another CR to 3GPP TS 33.210 incorporating IMS Network Domain Security related specification text from 3GPP2 S.S0086-B

Recommended